#27909 include in 23.10.24

dotCMS · Apr 3, 2024 · dc46559 · dc46559
1 parent ab69d53
commit dc46559
Show file tree

Hide file tree

Showing 4 changed files with 245 additions and 60 deletions.
diff --git a/dotCMS/hotfix_tracking.md b/dotCMS/hotfix_tracking.md
@@ -85,4 +85,5 @@ This maintenance release includes the following code fixes:
 78. https://github.com/dotCMS/core/issues/27384 : Update local.dotcms.site SSL cert for 2024 #27384
 79. https://github.com/dotCMS/core/issues/26004 : Image field doesn't export as a header in CSV #26004
 80. https://github.com/dotCMS/core/issues/23195 : Site Browser: Slow loading folder with many items #23195
-81. https://github.com/dotCMS/core/issues/27894 : Security: Critical Vulnerability in Postgres JDBC Driver #27894
+81. https://github.com/dotCMS/core/issues/27894 : Security: Critical Vulnerability in Postgres JDBC Driver #27894
+82. https://github.com/dotCMS/core/issues/27909 : Invalid role check when accessing resource #27909
diff --git a/dotCMS/src/integration-test/java/com/dotcms/rest/WebResourceIntegrationTest.java b/dotCMS/src/integration-test/java/com/dotcms/rest/WebResourceIntegrationTest.java
@@ -4,6 +4,8 @@
 import static org.junit.Assert.assertTrue;
 
 import com.dotcms.IntegrationTestBase;
+import com.dotcms.rest.WebResource.InitBuilder;
+import com.dotmarketing.business.Role;
 import com.dotmarketing.exception.InvalidLicenseException;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
@@ -31,6 +33,7 @@ public class WebResourceIntegrationTest extends IntegrationTestBase {
   private static User backEndUser = null;
   private static User cmsAnon = null;
   private static User apiUser = null;
+  private static User cmsAdmin = null;
 
   @CloseDB
   @BeforeClass
@@ -51,11 +54,15 @@ public static void init() throws Exception {
     apiUser = new UserDataGen().nextPersisted();
 
     cmsAnon = APILocator.getUserAPI().getAnonymousUser();
-
-
+    cmsAdmin = new UserDataGen().nextPersisted();
+    APILocator.getRoleAPI().addRoleToUser(APILocator.getRoleAPI().loadBackEndUserRole(), cmsAdmin);
+    APILocator.getRoleAPI().addRoleToUser(APILocator.getRoleAPI().loadCMSAdminRole(), cmsAdmin);
+
     assertTrue("backEndUser has backend role", backEndUser.isBackendUser());
-    
+
     assertTrue("frontEndUser has frontEnd role", frontEndUser.isFrontendUser());
+
+    assertTrue("cmsAdmin has CMS_Admin role", cmsAdmin.isAdmin());
   }
 
   private HttpServletRequest anonymousRequest() {
@@ -75,6 +82,12 @@ private HttpServletRequest backEndRequest() {
     request.setAttribute(WebKeys.USER, backEndUser);
     return request;
   }
+
+  private HttpServletRequest adminRequest() {
+    final HttpServletRequest request = anonymousRequest();
+    request.setAttribute(WebKeys.USER, cmsAdmin);
+    return request;
+  }
 
   private HttpServletRequest apiRequest() {
     final HttpServletRequest request = anonymousRequest();
@@ -157,6 +170,116 @@ public void disallow_apiUser_access_server_if_only_allowFrontEndUser() throws Ex
         .init();
   }
 
+  @Test(expected = com.dotcms.rest.exception.SecurityException.class)
+  public void test_checkAnonymousPermissions_NONE() throws Exception {
+    Config.setProperty(AnonymousAccess.CONTENT_APIS_ALLOW_ANONYMOUS, NONE);
+    final InitBuilder initBuilder = new WebResource.InitBuilder()
+            .rejectWhenNoUser(true)
+            .requestAndResponse(anonymousRequest(), response);
+
+    new WebResource().checkAnonymousPermissions(initBuilder,APILocator.getUserAPI().getAnonymousUser() );
+
+  }
+
+  @Test
+  public void test_checkAnonymousPermissions_READ_works() throws Exception {
+    Config.setProperty(AnonymousAccess.CONTENT_APIS_ALLOW_ANONYMOUS, READ);
+    final InitBuilder initBuilder = new WebResource.InitBuilder()
+            .requiredAnonAccess(AnonymousAccess.READ)
+            .requestAndResponse(anonymousRequest(), response);
+
+    new WebResource().checkAnonymousPermissions(initBuilder,APILocator.getUserAPI().getAnonymousUser() );
+    assertTrue("Anonymous read should be allowed", true);
+  }
+
+  @Test(expected = com.dotcms.rest.exception.SecurityException.class)
+  public void test_checkAnonymousPermissions_READ_fails_when_write_requested() throws Exception {
+    Config.setProperty(AnonymousAccess.CONTENT_APIS_ALLOW_ANONYMOUS, READ);
+    final InitBuilder initBuilder = new WebResource.InitBuilder()
+            .requiredAnonAccess(AnonymousAccess.WRITE)
+            .requestAndResponse(anonymousRequest(), response);
+
+    new WebResource().checkAnonymousPermissions(initBuilder,APILocator.getUserAPI().getAnonymousUser() );
+    assertTrue("Anonymous read should be allowed", true);
+  }
+
+
+  @Test(expected = com.dotcms.rest.exception.SecurityException.class)
+  public void test_checkAnonymousPermissions_fails_when_reject_with_no_user() throws Exception {
+    Config.setProperty(AnonymousAccess.CONTENT_APIS_ALLOW_ANONYMOUS, READ);
+    final InitBuilder initBuilder = new WebResource.InitBuilder()
+            .rejectWhenNoUser(true)
+            .requestAndResponse(anonymousRequest(), response);
+
+    new WebResource().checkAnonymousPermissions(initBuilder,APILocator.getUserAPI().getAnonymousUser() );
+    assertTrue("Anonymous read should be allowed", true);
+  }
+
+  @Test
+  public void allow_cms_admin_when_specified() throws Exception {
+
+    InitDataObject initDataObject =
+            new WebResource.InitBuilder()
+                    .requestAndResponse(adminRequest(), response)
+                    .requireAdmin(true)
+                    .init();
+    assertEquals("CMS Admin should be allowed", initDataObject.getUser(), cmsAdmin);
+
+  }
+
+  @Test(expected = com.dotcms.rest.exception.SecurityException.class)
+  public void disallow_backend_access_server_if_multiple_required_roles_include_cmsAdmin() throws Exception {
+
+    final InitDataObject initDataObject = new WebResource.InitBuilder()
+            .requiredRoles(Role.CMS_ADMINISTRATOR_ROLE, Role.DOTCMS_BACK_END_USER)
+            .requestAndResponse(backEndRequest(), response)
+            .init();
+  }
+
+
+
+  @Test(expected = com.dotcms.rest.exception.SecurityException.class)
+  public void disallow_backend_access_server_if_backendUser_tries_to_access_cmsadmin() throws Exception {
+
+    final InitDataObject initDataObject = new WebResource.InitBuilder()
+            .requiredBackendUser(true)
+            .requireAdmin(true)
+            .requestAndResponse(backEndRequest(), response)
+            .init();
+  }
+
+  @Test(expected = com.dotcms.rest.exception.SecurityException.class)
+  public void disallow_backend_access_server_if_frontendUser_tries_to_access_cmsadmin() throws Exception {
+
+    final InitDataObject initDataObject = new WebResource.InitBuilder()
+            .requiredBackendUser(true)
+            .requireAdmin(true)
+            .requestAndResponse(frontEndRequest(), response)
+            .init();
+  }
+
+  @Test(expected = com.dotcms.rest.exception.SecurityException.class)
+  public void disallow_backend_access_server_if_anon_tries_to_access_cmsadmin() throws Exception {
+
+    final InitDataObject initDataObject = new WebResource.InitBuilder()
+            .requiredBackendUser(true)
+            .requireAdmin(true)
+            .requestAndResponse(anonymousRequest(), response)
+            .init();
+  }
+
+
+
+  public void allow_backend_access_server_if_cmsadmin_tries_to_access_cmsadmin() throws Exception {
+
+    final InitDataObject initDataObject = new WebResource.InitBuilder()
+            .requiredBackendUser(true)
+            .requireAdmin(true)
+            .requestAndResponse(adminRequest(), response)
+            .init();
+    assertEquals("CMS Admin should be allowed", initDataObject.getUser(), cmsAdmin);
+  }
+
   @Test
   public void allow_front_end_by_defualt() throws Exception {